For most of the history of cybercrime, social engineering meant a convincing email or a plausible phone call. What's changed is the addition of AI-generated voice and video — tools that can replicate a person's voice from a few minutes of audio, or produce a video call where the face and speech of a trusted contact appear entirely real. Deepfake incidents increased by 880% in 2025. The technology is no longer experimental. It is being used against businesses right now.
This is not a distant threat that requires sophisticated, targeted attackers. Voice cloning tools are freely available. A brief clip from a CEO's LinkedIn video, a recorded webinar, or a company podcast is enough to generate convincing synthetic speech. For small businesses, where a single finance team member might process payments with minimal oversight, the consequences of a successful attack can be severe. This post explains what these attacks look like, where they are working, and what practical steps reduce your risk.
How Deepfake Attacks Work in Practice
The mechanics are less complex than most people assume. Attackers don't need to build their own AI tools — they use commercially available voice synthesis and video generation services, many of which are accessible for a few pounds a month. The attack chain typically works as follows: identify a target business, find publicly available audio or video of a senior executive (LinkedIn, YouTube, company website, podcast), generate synthetic speech, and use it to place a phone call or send a voice message to a member of staff with payment authority.
In 2024, a finance employee at a multinational firm was manipulated into transferring £20 million after a video call in which every participant — including the CFO — was a deepfake. The employee only realised the fraud after contacting head office directly. This case, widely reported, is now cited as the reference point for what the technology can achieve.
That example involved a large enterprise, but the same techniques are increasingly being used against small businesses, where financial controls are often less formal, staff are more likely to personally recognise and trust an executive's voice, and there is less infrastructure for verifying unusual requests.
Real-World Attack Scenarios
A member of your finance team receives a phone call from what sounds like your CEO or MD — same voice, same speech patterns. The caller explains there's an urgent, confidential acquisition deal that requires an immediate bank transfer before close of business. Don't discuss it with anyone else. Just action it.
The call lasts under two minutes. The employee, not wanting to obstruct a senior leader, transfers the funds. The CEO knows nothing about it.
You receive a WhatsApp video message from what appears to be your account manager at a key supplier. Their face is familiar from previous calls. They explain that their bank details have changed and ask you to update your records before the next payment run. They provide the new details in the message.
The account manager's face and voice were generated from video call recordings. The bank account belongs to the attacker.
A staff member receives a call from someone claiming to be from IT support, with a voice that sounds like a colleague they've spoken to before. There's an urgent security issue with their account — they need to provide their login credentials or install a remote access tool immediately.
The voice was cloned from internal recordings. The "colleague" does not exist in this form.
Why Traditional Verification Doesn't Work Anymore
The standard advice for social engineering attacks has always been: if something seems unusual, call back on a known number to verify. That advice remains correct — but it no longer provides complete protection, because attackers have adapted to it.
Callback verification assumes the caller's voice is a reliable signal. If the voice itself can be synthesised, a callback to a spoofed number from a caller using a cloned voice meets the "sounds right" test. Similarly, email follow-up from a convincing lookalike domain satisfies the "got it in writing" instinct.
Verification cannot rely on voice, video, or email alone. Any request involving money, credentials, or sensitive data needs an independent verification step — a separate channel, a pre-agreed code word, or a direct in-person confirmation where the risk warrants it.
This is not about training staff to be suspicious of everyone — it's about establishing simple, consistent procedures so that unusual requests have a clear process to follow, and staff are empowered to pause and verify without feeling they're obstructing a legitimate request.
Practical Defences for Small Businesses
Large enterprises can deploy AI-based deepfake detection tools and sophisticated identity verification infrastructure. Most of these are not practical or proportionate for small businesses. The good news is that the most effective defences are procedural, not technical — and they cost very little to implement.
- Establish a pre-agreed code word for sensitive requests. For any request involving payment, credentials, or access changes, require a code word known only to authorised staff. This doesn't need to be elaborate — a rotating monthly word, shared verbally in person. A synthetic voice cannot provide a code word it doesn't have.
- Require dual authorisation for any out-of-pattern payment. Any payment above a threshold, to a new payee, or with a changed bank account should require sign-off from two people — ideally confirmed in person or via a separate, pre-existing channel. The finance employee who receives the request should not be able to action it alone.
- Never update payment details based on a phone call or message alone. Any change to supplier bank details should require written confirmation from the supplier through an existing verified email address, plus a callback to a number sourced independently (from a previous invoice or your own records — not the number provided in the request).
- Limit the public availability of executive audio and video. Voice cloning requires source material. Reducing the amount of publicly accessible voice recordings — removing old webinar recordings, unlisted rather than public LinkedIn videos, limiting podcast appearances where practical — increases the effort required to clone a voice convincingly.
- Run a brief awareness session with your team. Staff don't need to become deepfake detection experts. They need to know that AI voice impersonation exists, that no request — regardless of how authoritative the voice sounds — should bypass your financial controls, and that pausing to verify is always the right call.
- Agree a "safe word" for live calls. For calls where you're uncertain whether you're speaking to a genuine contact, establish a challenge question whose answer only the real person would know — something specific to your relationship, not findable online. "What did we discuss at our last meeting?" or "What's the name of your project manager?" — simple but effective.
The Intelligence Layer
Deepfake attacks don't arrive without warning. Attackers research targets before they act — they look for publicly available information about your business structure, your executives, your suppliers, and your financial processes. The more publicly accessible that information is, the easier the attack becomes to prepare.
Understanding what information about your business is visible online — what a threat actor can learn about you before they pick up the phone — is a meaningful part of managing this risk. Attackers who know your CEO's name, your finance manager's name, your key suppliers, and your recent business activity are better equipped to construct a convincing scenario. Awareness of your own exposure is the first step to reducing it.
Research from Sumsub found that deepfake fraud attempts increased 880% between 2023 and 2025, with financial services, professional services, and small-to-medium businesses representing the fastest-growing target categories. The attacks are not slowing down.
The Practical Takeaway
Deepfake technology has made the human element of security harder to rely on. A voice that sounds like your CEO probably is your CEO — except when it isn't, and there is now no reliable way to tell the difference by ear alone.
The response is not paranoia. It is procedure. Clear, simple, consistently applied processes for verifying unusual requests — independent of the channel the request arrives on — are the most effective defence available. A two-minute verification call to a known, pre-existing number, or a dual-authorisation requirement for payments, costs almost nothing and stops the vast majority of these attacks.
The businesses that will be caught out are the ones that trust the voice on the phone because it sounds right. The ones that won't be are the ones that have decided, in advance, that sounding right is not enough.
Know What Threats Are Targeting Your Sector
Faradome Dash monitors the live threat landscape for your industry — including active social engineering campaigns, newly registered lookalike domains, and intelligence relevant to your business.
Open Threat Dashboard → Talk to Us